Business Email Compromise Crackdown: 281 Suspects Busted

A global law enforcement effort has resulted in the arrests of 281 suspects allegedly involved in business email compromise scams, which continue to account for increasing losses, the Department of Justice said on Tuesday.

The announcement of the worldwide, four-month investigation, code named Operation reWired, arrived on the same day that the FBI's Internet Crime Complaint Center said global losses and attempted thefts from BEC scams increased by 100 percent over the last 14 months. The IC3 says it also identified a new type of payroll diversion scheme, which it believes is tied to BEC actors.

The bulk of the arrests announced this week - totaling 167 - occurred in Nigeria, which has long been a hub of romance scams as well as bogus lottery and inheritance schemes. In the U.S., authorities arrested 74 individuals. Another 18 individuals were arrested in Turkey, 15 in Ghana, and others in the U.K., Japan, France, Italy, Kenya and Malaysia.

The DOJ says $3.7 million was seized in the U.S., where law enforcement undertook 214 separate actions, including arrests, sending warning letters to money mules as well as seizing assets. The investigation also involved tax fraud in the U.S., with some suspects allegedly stealing 250,000 identities and filing more than 10,000 bogus tax returns, netting $91 million in fraudulent refunds.

Business email compromise remains a devious and clever scheme. It can take a variety of forms but generally involves trying to trick an organization's employees into wiring or transferring money into fraudster-controlled accounts.

By gaining access to organizations' email accounts, fraudsters study how invoices are paid and seek to intervene, sometimes by changing invoices so fraudsters' bank account numbers are listed instead of legitimate ones. It's a scheme that leverages blind trust in email, inattention to detail and social engineering.

How One Scheme Went Down

The DOJ highlighted some of the highest-value types of fraud schemes that occurred in the U.S., one of which shows in interesting detail how an alleged BEC fraud unfolded.

Two individuals arrested during the operations were Brittney Stokes, 27, of Country Club Hills, Illinois, and Kenneth Ninalowo, 40, of Chicago. The two are charged with laundering $1.5 million in proceeds from two BEC scams.

In the first scam, the duo is accused of defrauding a large community college in northern Illinois of $3.3 million. Around mid-2016, the college was due to make a payment to a Minneapolis construction company and received an email that purported to be from an accounting manager there.

The criminal complaint against Stokes and Ninalowo

The email requested that the college update its Automated Clearing House details for the construction company, which it did. The $3.3 million was sent to that new bank account. Once it arrived, the money was split into smaller checks - each one with a value less than $10,000 - and sent to various other companies.

Bank of America ended up freezing the account due to the suspicious splitting activity, and most of the money was returned to the college. But one check for $398,220 was issued to Steno Logistics, a company registered just a day before the college received emails asking it to change its ACH details, law enforcement officials say.

Steno Logistics was registered as a corporation in Illinois under the name "Brittany Stokes," a slight variation of the suspect's real name, the complaint says. The president of Stokes Logistics was listed as Stokes' mother, prosecutors allege. Stokes allegedly deposited the check at a Bank of America branch, but the bank filed a suspicious activity report and shut down the Steno Logistics account.

The two suspects are also accused of defrauding an unnamed energy company, which is based in Houston, starting around December 2017. The energy company fell for the same ACH switch. But this time, there was a twist. The fraudsters compromised an employee's account at one of the energy company's suppliers.

The settings on the compromised employee's account were changed to forward new emails to the fraudster's account - a common trick. The energy company changed the ACH details after it received what it believed to be legitimate information from its supplier, prosecutors allege. The energy company ended up sending more than $500,000 to the account, and then later, about $1.7 million to another Steno Logistics account.

About $3.6 million was recovered from both incidents, and investigators seized Stokes' Range Rover Velar S and $175,909 in cash from Ninalowo. He is accused of cutting checks from the Steno Logistics account as well as making physical withdrawals.

Payroll Shenanigans

The IC3's latest statistics paint a sobering picture of BEC scams. Between June 2016 and July, the total exposed global dollar loss amount - which includes both stolen funds and attempts - rose to $26.2 billion worldwide. The increase is partly attributed to more awareness of the scams, resulting in more reports filed with law enforcement, the IC3 says.

Payroll diversion has been a problem for a long time. The scam has been perpetrated on the victim side by gaining access to the employee's account and altering the routing to another account, the IC3 says.

But the IC3 says it has seen more reports involving email. HR or payroll officials will get an email from an employee asking to change their direct deposit details. The request comes after fraudsters have compromised the employee's email account.

"The dollar loss of direct deposit change requests increased more than 815 percent between Jan. 1, 2018, and June 30, 2019 as there was minimal reporting of this scheme in IC3 complaints prior to January 2018," the IC3 says. Complaints during that period for that BEC variation numbered 1,053 for a total of $8.3 million in fraud, the IC3 says.

Paranoia Helps Protect Against BEC

BEC scams rely on organizations falling for phishing schemes and inattention to detail, such as a failure to spot a look-alike domain.

But there are plenty of ways to counter the common techniques that fraudsters use, including through process and security awareness training. Some of the methods involve slowing down transactions, carefully double-checking account change requests, making confirmation phone calls using a pre-approved list of phone numbers, and having a keen eye for spoofed emails. A few safety checks can save businesses from suffering massive, unrecoverable financial losses.

Organizations should also watch for tampered email accounts by checking whether settings have been changed to forward mail to addresses outside the organization, which is one way BEC scammers maintain a lurking presence (see: Business Email Compromise: Must-Have Defenses).
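The forwarding check described above can be automated. The following is an added example, not code from the DOJ, the IC3 or this publication: it audits an exported list of mailbox settings and inbox rules for forwards to outside addresses. The export format, field names, domains and addresses are all constructed assumptions.

```python
from email.utils import parseaddr

# Assumption: domains the organization itself owns (placeholder value).
INTERNAL_DOMAINS = {"example-energy.test"}

# Constructed sample export of mailbox settings and inbox rules.
# Field names are hypothetical, not any mail platform's real schema.
MAILBOXES = [
    {"user": "ap.clerk@example-energy.test", "forward_to": None,
     "rules": [{"name": "News", "action": "move", "target": "Folder:News"}]},
    {"user": "acct.manager@example-energy.test",
     "forward_to": "Archive <acct.manager.backup@mail-archive.test>",
     "rules": []},
    {"user": "payroll@example-energy.test",
     "forward_to": "hr@example-energy.test",
     "rules": [{"name": ".", "action": "redirect",
                "target": "p4yroll@freemail.test"}]},
]

FORWARDING_ACTIONS = {"forward", "redirect", "forward_as_attachment"}

def is_external(address, internal=INTERNAL_DOMAINS):
    """True when the address's domain is not one the organization owns."""
    _, addr = parseaddr(address or "")
    if "@" not in addr:
        return False
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    # Exact match or true subdomain only, so look-alike suffixes stay external.
    return not any(domain == d or domain.endswith("." + d) for d in internal)

def audit(mailboxes):
    """Return (user, source, destination) for each external forward found."""
    findings = []
    for mb in mailboxes:
        # Mailbox-level forwarding set in the account's own settings.
        if is_external(mb.get("forward_to")):
            findings.append((mb["user"], "mailbox-forward",
                             parseaddr(mb["forward_to"])[1]))
        # Inbox rules that forward or redirect matching mail.
        for rule in mb.get("rules", []):
            if (rule.get("action") in FORWARDING_ACTIONS
                    and is_external(rule.get("target"))):
                findings.append((mb["user"], "rule:" + rule["name"],
                                 parseaddr(rule["target"])[1]))
    return findings

if __name__ == "__main__":
    for user, source, dest in audit(MAILBOXES):
        print(f"{user}: {source} -> {dest}")
```

Each finding is a lead for review rather than proof of compromise, since some external forwards are legitimate and should be checked against an approved list.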

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
